Q And the reason that I wanted to speak to you today is to obtain some additional follow-up information.

One of the things I wanted to find out is what is the role of an ISO in the various different offices.

A Well, prior to the reorganization -- and ISO stands for Information Security Officer -- is to be the -- we have Echelon III ISO's which we categorize down at the facility hospital level. Then we have Echelon II ISO's. They work directly for Office of Cyber and Information Security, OCIS, and those individuals, we have deployed throughout the country, about 22 to 23 of them at a given time, and they act as, if you will, the first interface or the last interface for the communities out there.

They came to the VA, to OCIS, about 2-1/2 years ago during the first reorganization or attempted reorganization where these individuals were formerly VISN ISO's and they came to us. That's just a quick structure. Now let me answer your question. I apologize.

Q In the incident we are speaking about, the missing VA data --

A Right.

PROCEEDINGS

[illegible] your name pronounced "Cardenas"?

MR. CADENAS: No. There is no "r" in my last name. It is Petro Cadenas --

[illegible] Cadenas.

MR. CADENAS: -- Jr., C-a-d-e-n-a-s, and I am the ADAS for Cyber and Information Security, Department of Veterans Affairs, and also acting deputy CIO.

[illegible] Today is June 6th, 2006. It is now 8:00 a.m. My name is [illegible] Administrative Investigator [illegible] Investigations.

[illegible] speaking with Mr. Cadenas.

Mr. Cadenas, I want to remind you that you are still under oath. You were previously sworn in.

Whereupon,

PETRO CADENAS

was recalled as a witness and, after having been previously duly sworn, was examined and testified further as follows:

EXAMINATION

Q -- the employee that had that data worked for the Office of --

A Policy, Planning --

Q -- Policy, Planning --

A -- and Preparedness.

Q -- and Preparedness. And the ISO for that office

A That is correct.

Q Does [illegible] work for your office as an ISO?

A No. From what I understand, since this incident, he has been reassigned to the Office of Information and Technology, and he works for [illegible] third floor.

You have to --

Q Let me go back. When this incident occurred, where was he working? Who was he assigned to?

A P3, if you will.

Q What does that stand for? I'm --

A Policy --

Q Office of Policy and Planning.

A Yeah.

Q Got you.

A And Preparedness. And you have to understand, while we're going through this reorg, there is a formula that was constructed to see who came over, who didn't, and real quick in a nutshell, the formula was if you were 2210, 100 percent applied as an ISO, you came to OCIS. 2210, 50 percent applied, it was negotiable. If you were a non-2210, but you performed ISO duties, that is something that would be negotiated to see if the ISO wanted to continue in this career path.

Q Let's back up then. Who did [illegible] work for?

A P3.

Q P3. He worked for them directly, this P --

A That is correct.

Q No connection to you guys?

A No. No. Because he is a combination ISO, we later found out the privacy officer, and the jack of all trades for IT.

A Yes.

Q Dated when? Just after this incident? Is that what you mean?

A Before this. It's an ongoing process, about 18 to 24 months.

Q So it started 2 years ago?

A No. It just started a couple of months ago.

Q A couple of months ago.

A Right. Not that there is a good time, but this is even worse timing, based on your question.

But just 2 weeks ago or a week ago, I later learned that he was reassigned to Office of Information and Technology --

Q Technology.

A -- and

Q As an ISO, in looking in that aspect of someone's responsibilities, who is responsible for creating and issuing the rules of behavior?

A That is something that is ongoing, but it is the ISO's responsibility based off the training, the online training, infosec conferences, et cetera, that they -- when

Q The network administrator.

A Right. It is not uncommon for ISO duties to be assigned as other duties as assigned, as well as the privacy officer.

Q Is that common, the privacy officer in the ISO?

A No. We scanned that because we -- to the best you can, you got to keep those separate. So that way, there's no conflict of interest, and to our surprise, when my team was telling them, you need to contact the privacy officer, we found out later, in fact, he was the privacy officer, and we were just going nuts over that, and that's why my --

Q Who makes that assignment? Who designated --

A His supervisor.

Q Over there, they designated him?

A Right, which we have no say. These are their local assets, not ours.

Now, since the reorganization --

Q You keep calling it reorganization. What do you mean? Like there is a current one going on or

you say creating, it is to express the rules of behavior. Example, don't write down your passwords. Be cognizant of who is around if you're talking about sensitive information.

It is the ISO's responsibility to ensure that that information is disseminated along with the yearly training that all VA personnel should go under.

Q And then who maintains that rules of behavior? Is it maintained by the employee, or is it maintained by the ISO?

A Well, the employee has to operate -- they should conduct themselves -- if you are talking about documentation --

Q Because I know it's about a 6- or 8-paged document, the ones I've seen --

A Right.

Q -- with all the various rules of behavior --

A Right.

Q -- and the employee signs something showing they've read it.

A Right. And understood it.

Q And understood it.

A Right.

Q And then who maintains that, that signature page or that --

A From what I know, it's the local assets, the ISO. It's almost like a -- if you will, like an elevator permit. If you want to go see the certificate, you've got to go to the building facility. It should be the ISO because -- not the individual that maintains the certificate.

Q Is there policy -- I'm sorry. Is there policy about that? I mean, who -- I mean, are they giving some guidance to the ISOs about where this is supposed to be filed or kept or --

A To be honest with you, that I would have to check,

Q Well, you have a copy of it, I'm sure.

A Right.

Q You probably should have a copy of it.

A Right. Now, what I am expressing is my opinion, not actual procedure that I'm aware of.

Q But in your experience as someone who has the role as an ISO, it would be --

A ISO --

Q -- standard practice would be -- it would be their responsibility?

A Right. The ISO is the one that keeps paper on everybody within their facility, VPN. VPN authorization, if there has been any incident. I mean, the ISO needs to keep a file for audit purposes.

If the question is asked -- and I am speaking of DOD experience, which tends to be a little more -- I don't want to say hard core -- both much more granular than my experience here at the VA

Q Originally.

A Yes. The ISO can be the one-stop shopping that you go to when you say, okay, let me see has this organization, regardless of the size, conducted their training. It's part of the ISO's due diligence that they have to do to ensure that, hey, have you taken your training, you know, do you have a punch list of employees, yes, yes, no, okay, when are you going to take it.

And one of the things that we tried to get here is that it's a performance measure, the last couple of years, and it's just --

Q And who sees to it that the ISO receives the appropriate training, their roles and responsibilities?

A It's not only their immediate supervisors, but what we do from an OCIS point of view is we provide training to the Echelon II's who disseminate that information on down.

As I said earlier, the Echelon II's tend to be -- are liaisons out there to the community. So an Echelon II may be within a given VISN or region, and they know the set of ISOs that fall under their area of responsibility. So whenever guidance, policy, procedure, et cetera, comes out, then they automatically should be, because it's their concept of operation, disseminating that information down.

Also, we conduct monthly ISO meetings where it's not mandatory because they don't work for us, but quite a few of them dial in on the VANTS line, and that's conducted every month, and we keep meetings on -- minutes on those meetings, et cetera.

Q What is Echelon I? You said there's three echelons, III, II, and I. What is one?

A Okay. Well, they seemed -- they called them Echelon I. Those are the ISOs. Those assets do not belong to us, but they're information security officers that are local assets to the medical center, the facility directs, unit, office, whatnot.

Q That would be like [illegible]

A Yes.

Q Is he an Echelon I?

A Yes -- no. Echelon III.

Q Oh, Echelon III.

A Right. Three is local assets, not belonging to --

Q Not belonging.

A -- to OCIS,

Q All right.

A Two belongs to OCIS.

Q All right.

A And that was before the reorganization, but even when we did the formula, [illegible] was not classified as an ISO that would be transferring over to us because of his other duties.

MALLOY TRANSCRIPTION SERVICE (202) 362-6622

Case 1:06-cv-01038-JR Document 18-7 Filed 01/09/2007 Page 4 of 12

Q So it would be up to the Echelon II to disseminate training materials [illegible]

A Right. And to point the security ISO community to our website, OCIS web portal, also to do any coordination, et cetera, because we have an -- believe it or not, we do have an escalation procedure in process to keep everybody in the loop apprised of what's going on. I mean, we even constructed that was self-reporting, a database of all the Echelon II and III ISOs in the entire country. We started this -- I started this a couple of years ago because of some recently lessons learned at that time, couldn't contact anybody, didn't know, et cetera, that we had them give us their contact information, the number of percentage of their daily workload that was dedicated to ISO, their primary versus secondary functions. That's why it was easy for us to identify who should come over or not to keep administrations from refuting because it's all self-reporting.

Q Let's go into the process of the VA SOC.

A Yes.



we had to get concurrence from the rest of the community on how we would conduct business, and our concept of operation or procedures for escalation, tracking, et cetera, is based off a U.S. CIRC and the guidance that's provided there, and as a matter of fact, I even had some team members during the genesis of that working with the U.S. CIRC on how to respond to an incident, et cetera.

So what we first -- what [illegible] first was get confirmation that this, in fact, was a bona fide -- and what I mean by bona fide, in fact, it had been stolen.

Q And you're talking about [illegible]

A I mean

Q [illegible]

A I'm sorry [illegible] because keep in mind, it was reported potential.

Q Right.

A And it gave the information

Q You had to validate?

Q Now, as I understand the whole process, that if someone has an incident they want to report, they can go to the website or they have an e-mail address where they can report an incident.

A That is correct.

Q And then that e-mail box, that e-mail message is received by several individuals.

A Right.

Q And one individual, it's my understanding, is the lead incident. [illegible]

A Yes.

Q So, when this incident came into the VA SOC e-mail box, I understand the process of how it's received through the e-mail. What is in place at that point for [illegible] when he receives that? He has now taking -- taken on the task of following up on that incident.

A Okay. For this particular incident, the header in the subject line was "Potential Loss." Through lessons learned several years ago, because when I first came on board, I was reporting everything upstairs. I said, "Look, you guys have to have a process," and also through the insistence of the community, our concept of operation had --

A You have to validate because if not, we -- we tend to -- not that we're gun shy, but we get hammered all the time in this office, and some activities that have happened since this incident and now has demonstrated that. I can go into a little bit of those a little later.

But anyway, we had established a concept of operation that was signed off on. I have -- I don't have that with me presently, but it was all built towards best practices and guidance from U.S. CIRC as well as Carnegie Mellon who is the father, if you will, of CIRC, SOC incident handling management, and the reason why nothing was reported is we needed validation that, in fact, this had happened, keeping in mind that the first thing that [illegible] did was reply to him, "I need more information."

This was reported late afternoon. Late is like at 1500, 3 o'clock, I believe, if I can recall correctly, on a Friday. No response. No response. No response.

Monday, my team [illegible] tries to contact him again, and I believe he actually went down and talked to him this time. The reply was: "I got a meeting that I've got to go to." I said, "You're killing me here."

And I didn't find out about the incident -- you

may be asking this question -- until the 16th. Why? Because my team followed procedures. It was not validated.

Q Is there anything in place -- at what point in time would the incident get elevated? [illegible] I mean, I understand his whole process of trying to validate before he elevates it. At what point in time would he say I've got to move this up the chain?

A Once he received validation.

Q So that's -- I mean, it's cut and dry that the policy is that it has to be validated first?

A Yes. The example I will give you, this just happened this past week. I got another e-mail, hey, this may have happened, this may have happened, this may have happened back in January, reported it up because no one is taking any chance now. It went all the way up, I believe, to -- I reported it immediately, without the formal report, to Mr. Howard. Everybody is getting engaged. Everybody is getting all spun up. Later found out that a privacy ticket was issued on it at that date and time back in January, and the information that they believed may have been released, in fact, was not once again, where validation comes into

A We would have notified.

Q Okay. So --

play because, by me just sending it up because I was directed, I don't care what it is -- send it up -- everybody got all spun up and said, "Okay. Everybody stand down." There was a privacy ticket issued on this event. Privacy Office investigated it. It wasn't a cyber security issue, and that's why we have to follow those processes.

Q Okay. Are there any provisions to notify the Inspector General --

A Oh, yes,

Q -- within your policies and practices?

A Yes. When we know that there's -- there is only so much that we can do, and my team, they've met with the U.S. CIRC on a regular basis. The IG was in here and briefed my team -- I didn't attend that meeting -- where they provided guidance and what should be done, what shouldn't be done, because it's very important if, in fact, there was an incident where something was stolen and -- and there is something that -- that -- where the IG could launch an administrative or criminal, we're automatically hands off, you know, because it comes --

Q But at what point would you notify the IG? If you had validated --

Q Isn't --

A Oh, absolutely, because it was information that was stolen.

Q Now, what was that meeting with the IG? You said they came over here. You had a meeting. Do you remember when that was in the process?

A No. I've got to get with my team, Johnny Davis --

Q Recently, though, I mean, or --

A Yeah, a few weeks ago.

Q Prior to this incident?

A Yes.

Q I got to go see what -- [illegible] is a 13. Right?

A I believe so.

Q And then he reports to --

A Johnny Davis. I think there might be another layer, and Johnny Davis is the acting deputy, but he is also the Critical Infrastructure Protection service director that the SOC falls under.

Q But when this occurred, I think it was -- it goes

from [illegible] to Johnny Davis. It doesn't seem -- I mean, don't know if there's another person in between there.

A Okay.

Q But you tell me.

A I'm not -- I need to go check.

Q Yeah. Because --

A There's so many moving parts these days with the reorganization, and we are also working on our own internal reorganization. So what is true is that [illegible] works within Mr. Davis' chain of command.

Q Right. Okay. Because like I said, we talked to those folks, and --

A Right.

Q -- I -- I don't -- I haven't found a person in between those two yet --

A Well, then --

Q -- as another line supervisor, the 14 in between,

A Okay. I don't dispute --

Q Johnny Davis --

A Yeah.

Q -- is a 15. Right?

A Right. Right. I won't dispute that.

Q What's the role of the SOC in Hines, Illinois?

Now, one of the individuals we spoke to said the, quote/unquote, "real SOC" was in Hines, Illinois.

A Yes, the primary SOC --

Q The primary SOC.

A -- that we're -- that we're reconstituting, that we opened April 15th, I believe, reopened.

Q Okay. So April 15th of 2006 --

A Yes,

Q -- you reopened --

A The SOC, Security Operations Center.

Q In Hines, Illinois?

A Yes.

Q Now, what is their role in this whole -- the organization between them and what's here at VACO?

A Well, they report directly to us, and that falls under Mr. Davis in the Critical Infrastructure Protection organization or service.

We had to reconstitute that -- that effort because of the vast LLC contract that expired on March 16th of -- I want to say 2006.

Q What is a LLC contract?

A Limited liability corporation. That's where we had a consortium of small 8(a) companies to provide 100 percent. It was outsourced. This contract was awarded before anybody who is here now was involved with that.

Q They provided the security?

A Security. They provided the FTEs to man what was called the CIRC, Central Incident Response Capability. That's something that Mr. Brody had established through that contract.

There were some discrepancies. You have to talk to the contracting officer about that, but that contract was terminated or ended abruptly.

Q So that -- that ended. So you reopened a SOC office in Hines, Illinois?

A Yes, ma'am.

Q And that was in April?

A Yes.

Q And then what is their role? Do you report to them?

A No. They report to us.

Q They report to you.

A Right. Their primary role -- they have several roles out there, but we have close to 350 IDS's deployed out there, intrusion detection sensors, and we're --

Q Is that a person?

A No. That is a technology that sits out on the network to monitor suspicious or potential suspicious activities or signals or data sent back to the SOC, and now we're in the process deploying IPS, intrusion prevention sensors, out there as well because it's -- it's a proactive device that sits out there, and what I mean by proactive, it can be configured that, hey, if we're getting hit with an MS blast, we can shut down that connection right then and there versus IDS is very passive, and it just -- for lack of a better term, it looks and listens and reports back suspicious --

Q After the fact.

A -- anomalies.

Yes.

Now, that information all comes back to the SOC. Keep in mind --

Q Here? The SOC here or the SOC in Hines?

A In Hines, the SOC in Hines, and what we have is a team of analysts.

Now, keep in mind, what I am identifying to you is a concept of operation, not the current state today. Okay. Then I'll address, well, the other SOC or whatever.

The concept of operation is to -- it's a 7-by-24/365 shop. They're constantly monitoring, looking for anomalies, et cetera, and then that's where we also have our PKI help desk, keeping in mind we're trying to reconstitute everything, and contracting takes a long time in the VA.

Prior to that, CIP got on contract. I think it's called Managed Security Practice or MSP -- I got to figure out what the acronym is -- to I believe it's -- starts with a "V," Verisign or another company out there, that provides this capability. So we just needed a capability to read our sensors and then report up to us any anomalies.

Q So that the SOC in Hines, Illinois, is looking for instructions?

A Right, any -- any anomalies out there, suspicious activity on the network.

Q That's because that's where the equipment is?

A That is correct, but we also didn't want to have every -- you know, we have too many corporate key assets here in the D.C. area, that I said let's get it out of here, let's find a secure data center, and VBA -- it's located at the VBA data center.

Q So that's complete and separate from an incident report that would come in through the SOC e-mail box, such as --

A No.

Q -- missing VA data?

A No. Once it's fully staffed and reconstituted, that's where it would go.

Q All right. At that time, but for now, as of today, as of 2 weeks ago --

A It all comes right here.

Q -- it all comes here.

A Right.

Q All right.

Q Well, that's where my confusion was because the one individual said -- was talking about the SOC in Hines, Illinois, and I didn't know if it came into play in -- in this particular investigation or this incident that was reported to the SOC.

A No. For what -- for what you all are conducting here, everything, the SOC --

Q It was all local here?

A All local here, the e-mail account that -- that -- the SOC e-mail that was received on the e-mail, it was pulled off here.

Q And you're not on that box, you're not that router, you don't -- you don't get those e-mail reports?

[illegible]

Q The e-mail. You don't get the e-mail?

Q That actually had nothing to do with this incident. All right.

A No.

Q The way that the -- it is currently configured, that office is totally separate and had nothing to do with any incident investigating for this particular situation?

A I would say yes, to the best of my knowledge, because the SOC e-mail, incident e-mail, is checked on here. Once Hines is fully staffed, then it will be redirected out there.

Q Right, once it's --

A Right.

Q But this incident here had nothing to do with --

A Right. What we're trying to do, the reason why it's here is we have to maintain some sense of continuity,

Q Right.

A So location is -- is -- I would suggest is not the issue because it -- regardless of where it's at, it falls under that organization, but because it's not fully staffed or built out, it's here. It's checked here.

Q You don't get the e-mail?

A No.

Q Those guys --

A -- the team get that.

Q -- and now Johnny Davis get that?

A Right. The --

Q He did not get it prior?

A That is correct, I believe.

Q In the Privacy Office, I've had some -- some various different testimonies I've read where the Privacy Office used to fall under -- under this Office of -- your office, and then it didn't, and now is it back?

A No. I know the whole history behind that.

Q I don't want the whole history.

Q The short version. At the -- in May of 2006, did the Privacy Office fall underneath your venue?

A No.

Q Okay.

A Not as the ADAS for OCIS, no.

Q So it did not fall under OCIS or just --

A No.

Q Not at all?

A It's under OI&P, but not OCIS.

Q Not OCIS?

A Right.

Q So it's a completely separate entity?

A Yes, ma'am.

Q All right. Is there any responsibility from the SOC or through OCIS to report such an incident as this to the Privacy Office?

A Yes. As a matter of fact, that's what [illegible] was doing, trying to be as diligent as possible, is to report it there. They finally opened up a ticket, and they followed it by saying, from what I can recall, they would -- to make it official, they would need to hear from the Privacy Office, which drive me nuts, privacy officer, but, you know, there are a number of reporting responsibilities once an incident or an issue has reached certain levels. There are bells that go off where you need to notify,

We also have a responsibility to notify, depending on the situation, the IG, U.S. CIRC.

Q One of the things that we have found is most of the individuals that we speak to are saying, "Well, the SOC had it. So I felt there was nothing more I needed to do."

A What individuals? I don't mean names --

Q No.

A -- but what roles did they play?

Q But individuals that when the question is asked, well, why didn't you elevate this or why didn't you report it to someone else or why didn't you push it up the chain of command, one of the things that is being said, well, we reported it to the SOC.

A That's a false statement for anybody to make.

Q Well, that's why I am trying to find out with the SOC --

A Right.

Q -- what are their responsibilities because, if you look at it for the Privacy Office --

A Right.

Q -- you file -- you file a ticket with the Privacy Office. It then goes back to the privacy officer --

A Uh-huh.

Q -- to investigate and try and rectify the situation.

A Right.

Q So, when you look at the policies, there's nothing there to cause anyone to elevate to the next level to report outside the chain. So --

A Well, you know, when you say policy, you know, to put that in writing -- and these are my own words -- that's a ridiculous thing, I mean, it's an automatic ripple effect. For someone to say, "Well, I notified the SOC, and so my job here is done," you know, I don't want that individual, if they work for me, not to be working for me.

You know, if I -- if I find out about something, I'm letting as many people as I know that need to know because of what I say. It's a ripple effect. That's how we, more or less -- we try to conduct business here within OCIS. We have multiple services and their functions, but it has a ripple effect across the board, meaning policy. SOC needs to be aware, or the security, the engineering side of the house needs to understand the new policies as well as the ISOs, and that's what I mean by that ripple effect.

Q There might be a false sense out there, I think as [illegible] was talking about. Some other folks think once they report it to you guys, you had the ball, you guys are running with it, and they really thought that you guys didn't get back to them, that it was handled.

A Well, I would have to know who "them" is to give you any more information on that.

To -- for someone to say "I reported it to the SOC," the SOC --

Q I'll give you an example of one individual

A Uh-huh.

Q He sent his e-mail to the SOC and at that point felt "my job is done."

A Then he -- he didn't do his job, bottom line.

Q Where's the -- where's the failure? I mean, if --

A The failure is constant and open communication.

Q Oh, I'm not saying he didn't report it to others within his chain, but --

A No. I mean to us, so we could have validated, in fact, that it was taken.

I mean, where did he fail?

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1 We have never spoken to the individual, never had 

2 access to him. The police report, none of that was provided 

3 to us. To date, we still have nothing. 

4 Q So you still have an open incident that you can't 

5 close? 

6 A Well, it's because of what you hear via 

7 scuttlebutt and everything else, that's why when I was asked 

8 to do other things, I automatically disengaged and said, 

9 "No. I believe the IG is conducting a criminal 

10 investigation," and then I saw all you IG people running 

11 around. So, to me, that's -- that's a good flag. 

12 You know, we try to be -- not try. We do have 

1 3 procedures that make us be very diligent in what we do, you 

14 know, as far as not reporting up the chain. Once again, our 

15 internal process, unless it's been a validated incident, we 

16 don't go any higher with that, and that's what I meant by 

17 the communications access. 

1 8 While I reported it to -- you know, for an ISO to 

19 say I reported it to the SOC and now my job is done, that's 

20 a ridiculous statement for any ISO to say, especially if it 

21 happened on his watch within his area. He needs to - he or 

22 she needs to do the follow-up.
1 Q And what type of follow-up would be typical?

2 A Well, that's what I meant with the constant

3 communication from the scxi 'my, anymore? Do I need to do

4 anymore with this? What is it that you need from me?,"

5 things like that, and let me tell you, this is the exception

6 and not the rule. ISOs out there are very diligent, and

7 they work with us constantly, and we're constantly going

8 back and forth with communication. That's what makes this

9 whole incident so frustrating is because it happened -- it

10 was first reported on a Friday afternoon.

11 not 



said, "Hey, I need more

12 information on this," and I'm getting gigged from my

13 management team now, senior management team. We've got to

14 fill in the gaps between the weekend, Saturday and Sunday.

15 The guy was non-responsive, what do you want, you know.

16 There's only so much we can do.

18 Q I had a question. You mentioned that you have an 

19 inspection team that goes out there.

20 A RID, Review and Inspection Division.

21 Q Right, a division that kind of goes out. Did you

22 guys go to the policy and planning preparedness? Did you
1 guys do any kind of inspection there --

2 A I --

3 Q -- recently? I mean --

4 A Sir, I will have to check, I know --

5 Q They asked this last time. That's why I was 

6 asking. You said you were going to check, and I just want 

7 to make sure we follow up. 

8 A Oh, I'm sorry.

9 Q That's okay. 

10 A I know they -- their primary -- they've been going

11 out to the facilities --

12 Q Right.

13 A -- and looking at them because we like to think

14 that we have a good working relationship with the IG, and 

15 this is something I had to fight for amongst the community, 

16 and my argument was better to hear from us than the IG 

17 because the IG speaks, it's on the record, and you've got to 

18 do it now.

19 We come out there as a courtesy, and we -- and we 

20 look at your systems, controls against past CAP reports, et 

21 cetera, to see what they've done, if they've done anything. 

22 Q To try to identify the problem, and that's good.
1 Could you check on that and get back to us?

2 A I'm sorry. I'll --

3 Q I want to make sure we get that.

4 A RID, P3.

5 Q I have one more question. Bear with me for a 

6 second here. 

7 A Sure. 

8 And I will tell you why you're looking for your 

9 question there, sir. Since this incident, because the 

10 individual walked home, hand-carried, sneakernet, and we

11 have been working with the U.S. CIRC and others. I mean, I

12 know they're changing some of their procedures as well. 

13 Q CIRC? 

14 A The U.S. CIRC. 

15 Q Really? 

16 A Yeah. Because this does not -- this is like an

17 insider -- insider threat. It is not a cyber security

18 incident, per se, with the individual taking it out.

19 Now, it could be gigged as a security violation of 

20 best practices or guidance because of the policies or 

21 procedures, but everybody is going around saying we got the

22 proper authorizations to give them access and all this --
1 Q Here, and then telecommuting comes into play here.

2 A Well, the question was asked how many

3 telecommuters versus VPN users. See, there's a vast

4 difference. Actual bona fide telecommuters, I think the 

5 number that was given on the Hill was 6,000, 6,500. The 

6 question that was not asked, okay, well, how many VPN users 

7 are there. 

8 Q How many? 

9 A Around 40,000. 20,000 are active, and that's 

10 remote. 

11 Q Right. 

12 A You know, so people are using a play on words.

13 Now, it's not me, and I'm sitting there going come on,

14 answer the question that they're asking, full disclosure

15 here.

16 Q And that could be personal computers that have 

17 that access? 

18 A Yes. And once again, that's something I addressed 

19 3 years, 6 months ago, it was not cost effective to replace 

20 with personal Government computers. It was not cost 

21 effective. You don't know how we do business. You're

22 affecting patient care.
1 said, "Who is checking on these people?," and all I got was

2 grief, and that's all I've gotten for the past 3 years, 6

3 months, and let me --

4 Q That's how long you've been here. Right? 

5 A Oh, yeah. I'm tracking that. 

6 Q Let me ask you. Databases. Are you familiar with 

7 all the databases like BIRLS and all those different ones?

8 A Absolutely not.

9 Q So you don't have any idea what these things

10 contain, the amount of records?

11 A Look, for what I do here, I couldn't go past a

12 5-minute discussion on HealtheVet, VistA, or any other major

13 programs out there.

14 Q BIRLS, you have no idea what that contains?

15 A I have an idea now. 

16 Q Now you do, I'm sure. 

17 A Yeah, but not prior to. I mean, we try to do our 

18 C&A of AAC we're a data center, we're a franchise, you 

19 don't need to come down here. You know, I wish a people 

20 would walk a mile in my shoes.

21 Q Have you been down to Austin? I mean --

22 A Yes.
1 Another issue that I'm trying to address, I have

2 been addressing, is sending potential sensitive information

3 overseas. VHA has a contract with an Australian company to

4 read radiology transcripts, medical transcripts, to

5 interpret those -- are sent over the Atlantic side by the

6 prime where they sub the work out because they get 23 cents 

7 a line. They can get it, sub it out for 5 cents a line. 

8 The medical devices, because these are global companies that 

9 we work with, we've caught people dialing in from Israel

10 because they're performing preventive maintenance on medical

11 devices. We shut it down.

12 China -- excuse me. China, Canada, and I just got

13 one e-mail, the ISO would like information on how do you

14 handle background investigations for foreign nationals. I

15 mean, it's an educational process that we're going through

16 here, and in the St. Petersburg Times -- I don't know if you

17 read that -- the sex offender that was hired as a VBA or VHA

18 employee working. He's working with middle and high school

19 kids because they're candy stripers. I brought that up. 2,

20 3 months ago, over the FIPS 201 PIV program, HR personnel,

21 they were reading me the riot act over that. I said, "Look,

22 we have to do our due diligence or we become liable." I
Q -- you've had the grand tour?
A I've had a lovely tour.

I don't have anything else --

I don't either.
-- unless you do.
Q We may call you with a follow-up question because,

8 like I said, we're putting this whole thing together, and 

9 there may be one thing that somebody --
10 A Not a problem.

12 Q I'll shoot you -- I'll probably shoot you an

13 e-mail if I have any follow-up questions.

14 A Okay. I do have one action from you to see if the

15 RID has recently

17 Q Yes.

18 A -- or ever --

19 Q -- or ever --

20 A -- visited P3.

21 Q Right. Yeah. Recently or ever, even prior to you

22 getting here, at least it would be nice to know the last
1 time you were there. Well, you instituted that, I think you

2 said, in [inaudible]. 

3 A Right. You know --

4 Q But prior to that, there wasn't any kind of 

5 program like that? 

6 A Right. Right. 

7 Q Okay. 

8 A Technically, this is the easiest job I've ever 

9 had, single-level mode, all unclass. It's the bureaucracy 

10 that's made it the toughest job I've ever had. You wouldn't 

11 -- you know, I'm saying this for the tape too. You wouldn't

12 believe the roadblocks I get every time, every time.

13 Now, my biggest concern is what I said the

14 knee-jerk reaction, well, we need to get encryption, we need

15 to do this. Well, many, many years of neglect cannot be

16 fixed in one week, and we have to go back doing this the

17 right way because, if we don't -- people are just looking,

18 yeah, we've got policies, but if not implemented correctly,

19 meaning let's get out of this knee-jerk mode, do it right,

20 do it systems engineering, systems programming -- there's a

21 right way to do it -- we're still going to fail, and that's

22 what I meant by the knee-jerk reaction right now.
You know, they're telling me the sky is the limit
for you, but they're not willing to give me the time to do
it properly.

Q Seize the moment. 
A Yeah. 

Okay.
I'm going to go ahead and end your 

testimony. 

MR. CADENAS: All right.

[Whereupon, the sworn testimony of PEDRO CADENAS,

JR., concluded.]
From: Cadenas, Pedro

Sent: Tuesday, June 6, 2006 10:49 AM

Subject: Reply to follow up question. 



Q. Has the Review and Inspection Division (RID) performed any reviews within the Office of Policy, Planning, and
Preparedness (P3)?

A. No. RID reviews systems (major applications or general support systems) that are reported. P3 has not
reported any system that meets the requirement for review.

Pedro Cadenas, Jr.

ADAS for Cyber and Information Security

Department of Veterans Affairs